DEVHIDE
Login Or Sign up

Unable to impersonate user when authenticated using auth_kerb listener

1.5k Views Asked by At

I am trying to set up switch_user functionality on an application which authenticates using Apache's auth_kerb. REMOTE_USER is returned correctly and am able to log in. However when I try to masquerade as a different user I am unable to. The user I wish to switch to does exist within the application. The attempt to switch user occurs but pre authentication is called again and the initial REMOTE_USER is loaded.

Any ideas on how to get switch_user working using remote_user and custom user provider?

security.yml

security:
    providers:
        webservice_user_provider:
            id: webservice_user_provider
    ...

    firewalls:
        secured_area:
            switch_user: { role: ROLE_ALLOWED_TO_SWITCH, parameter: _masquerade }
            pattern:    ^/

            remote_user:
                provider: webservice_user_provider
    ...

services.yml

parameters:
    account.security_listener.class: Acme\MyUserBundle\Listener\SecurityListener

services:
    account.security_listener:
       class: %account.security_listener.class%
       arguments: ['@security.authorization_checker', '@session', '@doctrine.orm.entity_manager', '@router', '@event_dispatcher']
       tags:
         - { name: kernel.event_listener, event: security.authentication.failure, method: onAuthenticationFailure }
         - { name: kernel.event_listener, event: security.interactive_login, method: onSecurityInteractiveLogin }
         - { name: kernel.event_listener, event: security.switch_user, method: onSecuritySwitchUser }

    webservice_user_provider:
        class: Acme\MyUserBundle\Security\User\WebserviceUserProvider
        calls:
        - [setEntityManager , ['@logger', '@doctrine.orm.entity_manager']]

    ...

SecurityListener.php

namespace Acme\MyUserBundle\Listener;

use ...

/**
 * Class SecurityListener
 * @package Acme\MyUserBundle\Listener
 */
class SecurityListener {
  protected $session;
  protected $security;
  protected $em;
  protected $router;
  protected $dispatcher;

  public function __construct(
      AuthorizationCheckerInterface $security, 
      Session $session, 
      EntityManager $em, 
      UrlGeneratorInterface $router,
      EventDispatcherInterface $dispatcher
     // TraceableEventDispatcher $dispatcher
     // ContainerAwareEventDispatcher $dispatcher
  ) {
    $this->security = $security;
    $this->session = $session;
    $this->em = $em;
    $this->router = $router;
    $this->dispatcher = $dispatcher;
  }

  /**
   * 
   * @param AuthenticationFailureEvent $event
   * @throws AuthenticationException
   */
  public function onAuthenticationFailure(AuthenticationFailureEvent $event) {
    throw new  AuthenticationException($event->getAuthenticationException());
  }

  /**
   * @param InteractiveLoginEvent $event
   */
  public function onSecurityInteractiveLogin(InteractiveLoginEvent $event) {
    // set some defaults...
  }

  /**
   * @param SwitchUserEvent $event
   */
  public function onSecuritySwitchUser(SwitchUserEvent $event) {
    $this->dispatcher->addListener(KernelEvents::RESPONSE, array($this, 'onSwitchUserResponse'));
  }

  /**
   * @param FilterResponseEvent $event
   */
  public function onSwitchUserResponse(FilterResponseEvent $event) {
    $response = new RedirectResponse($this->router->generate('acme_mybundle_default_index'));
    $event->setResponse($response);
  }

}

WebServiceProvider.php

namespace Acme\MyUserBundle\Security\User;

use ...

class WebserviceUserProvider implements UserProviderInterface {
  protected $entityManager;
  protected $logger;

  /**
   * 
   * @param LoggerInterface $logger
   * @param EntityManager $em
   */
  public function setEntityManager(LoggerInterface $logger, EntityManager $em) {
    $this->logger = $logger;
    $this->entityManager = $em;
  }

  /**
   * 
   * @param string $username
   * @return Person
   * @throws UsernameNotFoundException
   */
  public function loadUserByUsername($username) {
    # Find the person
    $person = $this->entityManager->getRepository('AcmeMyBundle:Person')
        ->find($username);

    if ($person) {
      $this->logger->debug("Logged in, finding person: " . $person->getUsername());
      return $person;
    }

    throw new UsernameNotFoundException(
      sprintf('Username "%s" does not exist.', $username)
    );
  }

  /**
   *
   * @param \Symfony\Component\Security\Core\User\UserInterface $person
   * @throws \Symfony\Component\Security\Core\Exception\UnsupportedUserException
   * @internal param \Symfony\Component\Security\Core\User\UserInterface $user
   * @return Person
   */
  public function refreshUser(UserInterface $person) {
    if (!$person instanceof Person) {
      throw new UnsupportedUserException(
        sprintf('Instances of "%s" are not supported.', get_class($person))
      );
    }

    return $this->loadUserByUsername($person->getUsername());
  }

  /**
   * 
   * @param type $class
   * @return type
   */
  public function supportsClass($class) {
    return $class === 'Acme\MyBundle\Entity\Person';
  }

}
symfony symfony-2.6 switch-user mod-auth-kerb
Original Q&A
1

There are 1 best solutions below

0
On

This fix involves adapting AbstractPreAuthenticatedListener to check for the existence of the standard token that matches the logged in user, and if not a customised token that has stored the logged in user, but is attached to the 'switched to' userid.

This is the important (non copied) part of the code:

if (null !== $token = $this->securityContext->getToken()) {
  if ($token instanceof PreAuthenticatedToken && $this->providerKey == $token->getProviderKey() && $token->isAuthenticated() && $token->getUsername() === $user) {
    return;
  }
  // Switch user token. Check the original token.
  if ($token instanceof PreAuthenticatedSwitchUserToken && $this->providerKey == $token->getProviderKey() && $token->isAuthenticated() && $token->getOriginalUsername() === $user) {
    return;
  }
}

The token stores the logged in user and returns it with getOriginalUsername.

Store the existing authentication data (passed in $preAuthenticatedData)

/**
 * Constructor.
 */

public function __construct($user, $credentials, $providerKey, array $roles = array(), $preAuthenticatedData) { parent::__construct($roles);

if (empty($providerKey)) {
  throw new \InvalidArgumentException('$providerKey must not be empty.');
}

$this->setUser($user);
$this->credentials = $credentials;
$this->providerKey = $providerKey;

if (!is_array($preAuthenticatedData) && count($preAuthenticatedData) > 0) {
  throw new \InvalidArgumentException('No preauthenticated data. Must have the server login credentials.');

}
$this->original_username = $preAuthenticatedData[0];

if ($roles) {
  $this->setAuthenticated(true);
}

}

Getter

public function getOriginalUsername() {
  return $this->original_username;
}

Stash changes

/**
 * {@inheritdoc}
 */
public function serialize()
{
  return serialize(array($this->credentials, $this->providerKey, $this->original_username, parent::serialize()));
}

/**
 * {@inheritdoc}
 */
 public function unserialize($str)
 {
   list($this->credentials, $this->providerKey, $this->original_username, $parentStr) = unserialize($str);
   parent::unserialize($parentStr);
 }

These changes fit into the context of broader customisation of the Symfony security system. The source code for this is in github.

1 services.yml

Set account.security_listener, security.authentication.switchuser_listener and security.authentication.listener.remote_user_switch

This is in addition to the expected user provider.

2 security.yml

Use this security provider

secured_area:
  switch_user: { role: ROLE_ALLOWED_TO_SWITCH, parameter: _masquerade }
  pattern:    ^/

  remote_user_switch:
    provider: webservice_user_provider

3 Check that the user provider loads the backing data for your user.

4 Install security files.

  • RemoteUserSwitchFactory.php: defines the listener to handle the
    authentication events.
  • PreAuthenticatedWithSwitchUserListener.php: our special authentication logic. SwitchUserListener.php: handles the switch user event.
  • PreAuthenticatedSwitchUserToken.php: token to store the logged in user as secondary data.
  • WebserviceUser.php: our user data entity
  • WebserviceUserProvider.php: queries for user data.

Related Questions in SYMFONY

Related Questions in SYMFONY-2.6

Related Questions in SWITCH-USER

Related Questions in MOD-AUTH-KERB

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.